God forbid anyone decides to read the inane conversations I have with ChatGPT. They should be so lucky.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Silicon Security Flaw Discovered in iPhone 12 and M2 MacBook Air
- Thread starter MacRumors
- Start date
- Sort by reaction score
And if someone steals your Macbook or Macbook Pro, correct me if I am wrong, if you have FileVault enabled and a relatively strong login password, they probably will just wipe the drive and resell it, right?
Of course if there was something specific in your hard drive they were after, that is different, but for 99 percent of Laptop thieves, I would imagine they are only after the quick cash of selling it fast.
I've read the original article (and other things), and almost everyone has gotten this wrong, including MacRumors.
First, local access is NOT required for a Mac. The key requirement is that the attacking code must run simultaneously with the attacked code. Therefore it's sort-of required for an iphone or ipad, in the absence of other exploits or a jailbreak, because you can't get simultaneous execution of GPU code. This isn't completely true since you can multitask on ipads using split screen or stage manager, but that's a pretty tall hurdle.
Second, this is NOT a vulnerability in the silicon at all. It also has nothing to do with speculative execution. It's a simple lack of memory protection for some GPU code, due to people being lazy, or wanting to maximize performance, or being naive about security. This "bug" is basically a failure of people who never graduated from Remedial Security 001. Really, it's not a bug at all - it's a complete failure of design. Or even, I should say, a failure *to* design, as security was clearly never even considered.
@idmean, good catch. @duervo, you got it. Everyone else (and MacRumors), not so much.
First, local access is NOT required for a Mac. The key requirement is that the attacking code must run simultaneously with the attacked code. Therefore it's sort-of required for an iphone or ipad, in the absence of other exploits or a jailbreak, because you can't get simultaneous execution of GPU code. This isn't completely true since you can multitask on ipads using split screen or stage manager, but that's a pretty tall hurdle.
Second, this is NOT a vulnerability in the silicon at all. It also has nothing to do with speculative execution. It's a simple lack of memory protection for some GPU code, due to people being lazy, or wanting to maximize performance, or being naive about security. This "bug" is basically a failure of people who never graduated from Remedial Security 001. Really, it's not a bug at all - it's a complete failure of design. Or even, I should say, a failure *to* design, as security was clearly never even considered.
@idmean, good catch. @duervo, you got it. Everyone else (and MacRumors), not so much.
An interesting question, but the answer is that your basic assumption is wrong. It's neither cache nor main memory. It's scratchpad RAM, called "local memory" by OpenCL and other things. It exists as part of the GPU, and is a significant factor in total mm^2 size of the GPU cores. It's not cache because it's separately addressable by GPU kernels. It might mostly be a local faster copy of data from main memory, but it's not maintained and managed by the GPU hardware, it's controlled directly by user code (or libraries).
Small followup: Without another exploit to piggyback from, I don't think a hostile web site could exploit this on the Mac (as I mentioned, this is not an issue anyway on iphones and (mostly) ipads), because apparently WebGL does it right, clearing scratchpad/local memory before accessing it. So a remote exploit would have to involve convincing a victim to run malware.
Unfortunately, that's obviously not a very high bar to clear these days.
Unfortunately, that's obviously not a very high bar to clear these days.
Wow. Do any of you who are ripping Apple over and over for a mistake not make any mistakes yourself? You have this idea in your head every single line of code has to be perfect. Every product has to be 100% flaw free. It’s 100% unrealistic expectation of manufacturing and development. It can’t happen and never will happen. Are you like I asked before 100% perfect? No you are not. To ask Apple to be is absolutely ridiculous. Humans are doing the work. We make mistakes. We over look things. This posts are getting ridiculous unless you are perfect and I doubt you are be glad they found the problem and are going to do their job and fix it.
Apple was forced to issue a software update to address the radio signal issue on the 12 series because the idiot regulators in France decided to test the phones in a way that’s not industry standard. In a way it was set up to fail. It’s as ridiculous as regulators suddenly complaining that customers can get electrocuted from plugging in their phone while underwater so Apple must come up with a fix to continue selling their products, for example. 🙄
what a lot of doom and gloom about a vulnerability that on a Mac is likely to require physical access and where with physical access there are so many quicker avenues to exploit almost all the data.
There will always be 'flaws' or potential inroads to data, that is the nature of computing from its inception.
As for Mac's additional methods of security lay at a user's own hands if they choose, but if someone has physical access to your device its likely in some cases the password is written down as I've seen so many people even looking on the back of their hand for the password to their devices including phones!
With banking on mobile devices and with innovation in general, it may brings other potential for fraud/crime, and with any innovation there are upsides and downsides, along with the law of unintended consequences.
On the Mac its so easy to write a heavily encrypted volume where any sensitive data can be held, introducing another level of safeguard, and using some of the old features, quite easy to copy a logo into the volume that is nondescript, such as a picture and similar techniques. There has always been the potential for data loss and in my opinion always will, even when quantum computing rears its head. But that can also drive innovation. Not suggesting often misnamed 'flaws' are a great thing, but they do further understanding, and often solutions to the problem and direction for the next generation of developments.
Often its not the potential exploit especially advertised potential flaws, its flaws people owning the devices that represent a greater problem.
There will always be 'flaws' or potential inroads to data, that is the nature of computing from its inception.
As for Mac's additional methods of security lay at a user's own hands if they choose, but if someone has physical access to your device its likely in some cases the password is written down as I've seen so many people even looking on the back of their hand for the password to their devices including phones!
With banking on mobile devices and with innovation in general, it may brings other potential for fraud/crime, and with any innovation there are upsides and downsides, along with the law of unintended consequences.
On the Mac its so easy to write a heavily encrypted volume where any sensitive data can be held, introducing another level of safeguard, and using some of the old features, quite easy to copy a logo into the volume that is nondescript, such as a picture and similar techniques. There has always been the potential for data loss and in my opinion always will, even when quantum computing rears its head. But that can also drive innovation. Not suggesting often misnamed 'flaws' are a great thing, but they do further understanding, and often solutions to the problem and direction for the next generation of developments.
Often its not the potential exploit especially advertised potential flaws, its flaws people owning the devices that represent a greater problem.
Last edited:
Others have already touched on it, but Apple devices are in no way more secure than most non-Apple alternatives. Living in such a bubble is dangerous.
Be sensible with your data and you're fine. The vast majority of similar security issues on Intel, AMD, etc, require local access too. These are often more widely publicised as the majority of the world runs on Intel and AMD PCs, so it's more mission critical in that sense.
This often skews the perspective of people who for some reason Apple is the holy grail of software and hardware security. In reality all they did was make it more awkward to access such devices with anti-consumer design choices.
When was the last time you saw an entire office filled with iMacs used for banking systems? This is why so many attacks are constantly materialising against the most popular architectures, as it's a huge financial incentive for criminals.
This might hurt the die hard Apple bots deeply, but criminals don't care about getting into your Mac. They can't make money from that birthday card you designed for your niece that one time when your creative side came out to play.
As a side note, using Windows/Linux/Android in the same way as you use iOS/MacOS is equally as secure and these days probably more reliable (although Apple is FINALLY starting to get more competent with software).
Be sensible with your data and you're fine. The vast majority of similar security issues on Intel, AMD, etc, require local access too. These are often more widely publicised as the majority of the world runs on Intel and AMD PCs, so it's more mission critical in that sense.
This often skews the perspective of people who for some reason Apple is the holy grail of software and hardware security. In reality all they did was make it more awkward to access such devices with anti-consumer design choices.
When was the last time you saw an entire office filled with iMacs used for banking systems? This is why so many attacks are constantly materialising against the most popular architectures, as it's a huge financial incentive for criminals.
This might hurt the die hard Apple bots deeply, but criminals don't care about getting into your Mac. They can't make money from that birthday card you designed for your niece that one time when your creative side came out to play.
As a side note, using Windows/Linux/Android in the same way as you use iOS/MacOS is equally as secure and these days probably more reliable (although Apple is FINALLY starting to get more competent with software).
FineWoven, The worst case apple has ever made. Just get a silicone cas-
I wouldn't buy any Apple branded case. They all suck.
Im not perfect but equally Im not designing operating systems and CPU's and since Apple had a fatal flaw in the M1 that could not be patched finding another flaw to do with the security of the GPU in M2's isn't great either, so I think Apple should do better. Hopefully this will get patched with 17.3 and 14.3 next week (if its released next week) but I do wonder if Apple hope paranoia will make some people update a perfectly good computer because there is a new chip in town. That I have to say is just a giant waste of money as I see it.
Don’t make your friend make pointless/redundant decisions like that. She’ll neither be important or influential enough to be targeted by this. And like others have said they’ll be plenty of other vulnerabilities found on each device.